You can increase bs to speed things up (I use 16m or 8m, as my disk has a 16m buffer).

Code:

$ echo > /label
$ bsdlabel -R /dev/ad4s2 /label

This will clear the bsdlabel from ad4s2, which means that you will no longer see
/dev/ad4s2d, /dev/ad4s2e, /dev/ad4s2f, /dev/ad4s2g.
Q: Why would you want to do that?
A: Because we are going to encrypt the entire slice /dev/ad4s2.

Step 3) Initialize GELI
For this one I won't use a keyfile, only a password.

And now repeat step 3 one more time, then go straight to step 5 (skip step 4).
This is necessary to know what values to enter for bsdlabel,
and you need to repeat step 3 because otherwise you will get a warning... yes, it sucks.

Step 11.b)
Do the same thing as in step 4,
then reinitialize geli for /dev/ad4s3 (step 11); you don't need to generate a new key.
Then do the same thing as in step 5, but
this time you only need to add one label (d:).

NOTE
Don't forget passwords,
and don't lose the key.
Keep the key in a safe place (a USB stick, perhaps).
Make a backup of the key, just in case.
It's possible to leave only /boot unencrypted, but for that you might need another HDD.
It is also possible to encrypt the entire disk, but then you need a USB stick with /boot on it, and a PC that can boot from flash.

To those who wonder why swap is encrypted separately:
That's because I don't need a password for swap encryption.
It will use one-time encryption... so there is no way to decrypt that.
Also, if necessary, you can modify it and use it elsewhere later (for example to create a d: partition).

I hope this was useful for someone...
If you've got questions, ask, I will answer....

And if anyone has a better idea how to avoid the annoying step 4, let me know.

UPDATE: 1
When you unmount an encrypted drive, it will still be accessible (with dd, for example);
you need to detach it.

Code:

geli detach /dev/ad0s1f.eli

And here's the important stuff:
if you use an encrypted USB stick.....
don't forget to detach it after you unmount it.....
Failing to do so will/may cause a panic.
This applies to everything....
probably including disk images.

UPDATE: 2

Quote:

Originally Posted by Carpetsmoker

You can also use an image instead of a ``real'' filesystem, for example on FreeBSD:

First create an image, 100MB in this case:

$ dd if=/dev/zero of=secret.img bs=1024K count=100

Next use mdconfig to create a /dev entry:

# mdconfig -at vnode -f secret.img

Next you can follow the normal steps for creating an encrypted filesystem (i.e. Killasmurf's FreeBSD + Geli), using md0.

You can use

# mdconfig -du0

to detach the device.

This is much more flexible and faster, and you can set it up any time, no need to newfs stuff ...

Before you use

Code:

# mdconfig -du0

to detach the device (a file in this case), as suggested by Carpetsmoker,
make sure you use geli detach:

Code:

geli detach /dev/md0.eli

For the reasons, read update 1.

UPDATE: 3
At step 4, you may try to skip geli detach and continue to steps 5 and 6 if there are no weird errors (I had some); if you get errors, fall back to this guide (in short, to steps 4, 3, 5, 6...).

So if you get errors, do 1,2,3,4,3,5,6,7,8,9,10,11;
if you don't get errors, do 1,2,3,4,5,6,7,8,9,10,11.

If you feel confused, ignore this update and PM me (or make a post)..... I'll see if I can improve things.
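As an added example (not part of the original post, nor Carpetsmoker's quoted instructions, nor FreeBSD's own tooling), here is the image-backed GELI workflow from Update 2 as a small script, with the teardown order Update 1 insists on: umount first, then geli detach, and only then mdconfig -d. The image path, size, mount point and md unit number are constructed placeholders that can be overridden through the environment; the script must run as root on FreeBSD, and setting DRY_RUN=1 prints the commands instead of executing them so the sequence can be checked before touching any disk.

```shell
#!/bin/sh
# Added example: create, re-open and tear down a GELI-encrypted disk image
# backed by an md(4) vnode device. Not the original post's code.
# Assumptions: root on FreeBSD; the values below are placeholders.

IMG="${IMG:-/root/secret.img}"   # constructed placeholder path
SIZE_MB="${SIZE_MB:-100}"        # 100MB, as in the quoted post
MNT="${MNT:-/mnt/secret}"        # constructed placeholder mount point
UNIT="${UNIT:-0}"                # md unit: /dev/md0 and /dev/md0.eli

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# geli_img_create: build the image, attach it as /dev/mdN, initialise GELI
# (passphrase only, no keyfile, as in step 3), attach the .eli provider,
# newfs it and mount it.
geli_img_create() {
    run dd if=/dev/zero of="$IMG" bs=1024k count="$SIZE_MB"
    run mdconfig -a -t vnode -f "$IMG" -u "$UNIT"
    run geli init "/dev/md$UNIT"
    run geli attach "/dev/md$UNIT"
    run newfs "/dev/md$UNIT.eli"
    run mkdir -p "$MNT"
    run mount "/dev/md$UNIT.eli" "$MNT"
}

# geli_img_attach: re-open an existing image (no dd, init or newfs).
geli_img_attach() {
    run mdconfig -a -t vnode -f "$IMG" -u "$UNIT"
    run geli attach "/dev/md$UNIT"
    run mount "/dev/md$UNIT.eli" "$MNT"
}

# geli_img_detach: order matters. Unmounting alone leaves the decrypted
# /dev/mdN.eli readable (with dd, for example), so geli detach must follow
# the umount, and it must come before mdconfig -d so the backing device is
# not pulled out from under a still-attached provider.
geli_img_detach() {
    run umount "$MNT"
    run geli detach "/dev/md$UNIT.eli"
    run mdconfig -d -u "$UNIT"
}

# detach_step_order: 1-based position of the first teardown command whose
# dry-run line matches $1; lets the sequence be checked without root.
detach_step_order() {
    ( DRY_RUN=1; geli_img_detach ) | grep -n "$1" | head -n 1 | cut -d: -f1
}

case "${1:-}" in
    create) geli_img_create ;;
    attach) geli_img_attach ;;
    detach) geli_img_detach ;;
esac
```

Usage: `DRY_RUN=1 sh geli-img.sh create` to review the commands, then `sh geli-img.sh create` as root; later sessions use `attach` and always finish with `detach`, never with a bare umount or a bare `mdconfig -d`.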

killasmurf86, this is a great post with plenty of useful data. When I first started using Geli I found navigating the documentation to be slightly daunting, but you have provided a concise how-to that may make Geli on FreeBSD more accessible to people who would otherwise go with a Linux solution to disk encryption.